Appfluence Responsible Disclosure Policy

At Appfluence, we value the security of our users, and we recognize the role that security researchers play in ensuring that Priority Matrix maintains the highest standards of security. We are committed to collaborating with this community to verify, reproduce, and respond to any legitimate reported vulnerabilities.

To encourage responsible disclosure, we've established a Bug Bounty Program that rewards security researchers for identifying and reporting vulnerabilities in our software. This policy outlines the guidelines of this program.

Scope

This program strictly applies to our SaaS tool Priority Matrix (domains prioritymatrix.com and sync.appfluence.com). Any vulnerabilities identified in our marketing website, staging or development environments, corporate infrastructure, or any other non-essential systems fall outside this policy and will not be eligible for a reward.

Rewards

We offer a scaled reward system for vulnerabilities reported:

  • Medium severity: $50 USD
  • High severity: $100 USD
  • Critical severity: $200 USD

The severity level will be determined by our team upon reviewing the report, taking into account the risk and potential impact associated with the vulnerability. The severity score will be weighed by its ease of exploitation. For example, a high-severity vulnerability could be downgraded to medium or low if it requires a potential victim to perform multiple steps in order for the exploit to work. We will make our best effort to classify the severity of the reported vulnerability. Please note that our decision cannot be appealed.

The following is a guideline, with some examples, for our severity classification process. Note that the examples are given as general guidance and are not a guarantee of classification or reward:

  • Critical: Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices. Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user into performing any special functions. Additionally, it’s easy to apply at scale. Example: Remote Code Execution, SQL Injection, Server-Side Request Forgery.
  • High: The vulnerability is difficult to exploit. Exploitation could result in elevated privileges. Exploitation could result in significant data loss or downtime. Or the vulnerability could be easy to exploit against a single user, but not at scale. Example: Cross-Site Scripting (XSS), Server-Side Template Injection, XML External Entity (XXE) attacks.
  • Medium: The vulnerability may require the attacker to manipulate individual victims via social engineering tactics. Denial-of-service vulnerabilities that are difficult to set up. Exploits that require an attacker to reside on the same local network as the victim. Exploitation provides only very limited access. Successful exploitation requires user privileges. Example: Cross-Site Request Forgery (CSRF), Clickjacking, Unvalidated Redirects and Forwards.
  • Low: Low-severity vulnerabilities may not directly lead to data loss or server compromise, but could potentially provide information or access that could be used in conjunction with other vulnerabilities to escalate to a higher severity level. These could include vulnerabilities such as exposure of non-sensitive data, version leaks, and non-exploitable Cross-Site Scripting (XSS) vulnerabilities, for example, those that only affect outdated browsers.

Please note that we do not offer rewards for reports of low severity or for outdated library versions. We have established processes to mitigate these publicly known issues. Additionally, in order to qualify, reports need to refer to exploitable vulnerabilities, not mitigated by additional security measures, such as 2FA.

As a company policy, we do not offer any other rewards such as public acknowledgements, mentions in a hall of fame, etc. This is an executive decision that will not be reconsidered. Please do not insist.

The Bug Bounty Program does not imply a guarantee of payment. Even if all program conditions are met, any reward decision remains at the discretion of Appfluence.

In addition to monetary rewards, each valid submission may receive a free, one-year license to Priority Matrix Business, our highest-value offering. This is a good-faith reward that’s not transferable and cannot be exchanged for cash.

Reporting

To report a vulnerability, please:

  1. Email your findings to support@appfluence.com. Please include as much information as possible about the vulnerability, including the steps to reproduce it.
  2. Allow us a reasonable amount of time to address the issue before you disclose it elsewhere.
  3. Ensure that your testing does not violate any laws, or disrupt or compromise any data that is not your own.

Eligibility

To qualify for a reward, you must:

  1. Be the first person to report a valid, complete report about a specific vulnerability. Note that a vulnerability might have been reported and captured internally already, even if it’s not yet resolved. This means that, since we aim to process submissions in the order that we receive them, it’s possible that a submission is not considered valid because another (still unprocessed) submission has addressed the specific issue in your report.
  2. Report an issue that’s significantly different from others already in the system. For example, an issue with /api/XYZ will not be considered valid if an equivalent issue was already reported for /api/ABC.
  3. Provide sufficient information to enable us to reproduce and understand the vulnerability.
  4. Not disclose the vulnerability to others outside Appfluence, even beyond the verification process.
  5. Not exploit the vulnerability beyond what is necessary to produce a proof-of-concept.
  6. Not violate any laws during your testing.
  7. Not have any familial, business, or personal friendship relationships with Appfluence staff.

Duplicate Submissions and Identity

Submitting the same or nearly identical issues by the same individual, especially if using separate email addresses to appear as a different person, is considered a violation of this policy. Any such attempts will result in automatic disqualification from participating in this Bug Bounty Program.

Order of Received Reports

To be eligible for a reward, researchers must ensure that their submission is successfully received by our team. We prioritize reports based on the order in which they are successfully received by our email system. Please note that if an email report is flagged as spam, dropped by our incoming email system, or otherwise not noticed, it will not be considered as successfully received. In such cases, if a separate report on the same issue is successfully received afterward, we will prioritize the report that was first successfully received.

Researchers are encouraged to verify receipt of their submissions and use email addresses that have not been tainted with spam reports to ensure their reports are successfully received.

Explicit exceptions and considerations

Independently of whether a report falls into one category or another, the following exceptions to the rules above apply, automatically disqualifying certain types of reports:

  1. Vulnerabilities that are reasonably similar to one another will be considered as a single submission.
  2. Vulnerabilities that are known to our team and the result of a business decision to trade ease of use for legitimate users against a minimal security degradation. For example, allowing new users to utilize the platform without validating their email first.
  3. Vulnerabilities that arise from users storing malicious files.
  4. CSV formula injection vulnerabilities.
  5. If during the process of vulnerability discovery, researchers were to cause service disruption or in any other way harm Appfluence customers, no reward will be granted regardless of the severity level.
  6. Reports that are solely based on automated tools without verification or demonstration of the exploitability of the issue.
  7. Findings related to software or systems not under Appfluence’s control, such as third-party components or services.
  8. Issues that only affect users on outdated or unsupported platforms or browsers.
  9. Vulnerabilities that rely solely on social engineering tactics without involving any technical flaws in the system.
  10. Vulnerabilities arising from the leakage of private URLs by users, intentionally or otherwise. For example, someone’s anonymous link to view an item or project in read-only mode.
  11. Issues related to best practices, code quality, or those that require an unrealistic or highly contrived scenario to exploit them.
  12. Any vulnerability requiring local access to a user’s network or email account, or Appfluence’s premises.
  13. HTTP to HTTPS Redirects: Vulnerabilities based solely on the presence of HTTP links that auto-redirect to HTTPS.
  14. DNS configuration options that have been intentionally left blank or unused (CAA, DNSSEC, etc.).
  15. Self-XSS that cannot be used to exploit other users.
  16. Denial-of-Service attacks.
  17. Physical attacks against Priority Matrix offices and data centers.
  18. Social engineering attacks against Priority Matrix employees.
  19. Attacks that rely on mishandling of data by external services (such as OpenAI, Sendgrid, or others).

Privacy and Confidentiality

Due to privacy and confidentiality requirements, we do not provide appreciation letters or other forms of written acknowledgment that could be used for external validation of the findings. Our focus is on ensuring the security of Priority Matrix and protecting our users. As such, rewards such as monetary compensation or complimentary Priority Matrix licenses will serve as our sole acknowledgment of valid contributions to our Bug Bounty Program.

Legal

You must comply with all applicable laws in connection with your participation in this program. You are responsible for any tax implications or additional restrictions related to rewards in your country of residence. The preferred payment method is by credit card, so it is recommended that you provide a suitable payment link, for example via Stripe, Square or similar.

Appfluence reserves the right to modify, adjust, or terminate this program at any time, without explanation or warning.

We thank you for your valuable contribution towards keeping Priority Matrix secure and ensuring the safety of our users!